
Consider limiting reactions as to avoid DOS/Abuse

Open AmurgCodru opened this issue 1 year ago • 2 comments

Hi

While testing reactions locally I noticed I could add tens, if not hundreds, of reactions and there seems to be no limit to them.

Is this the intended usage? I'd imagine a BOT spamming the DB with thousands of reactions

I was thinking of a limiter per IP (or hashed IP to avoid GDPR) to allow one of each per 24 hours.

What do you think?

I'll probably need to have a look at other systems to see how well it behaves.

Out of curiosity, haven't you noticed bots trying to cling to various APIs on your website?

AmurgCodru avatar Jan 13 '25 18:01 AmurgCodru

Yeah I noticed this as well, I have posts with almost a million reactions, probably due to someone trying to reach non-existing limits. But I tried to keep the code for this feature as performant as possible and never noticed any impact due to it. I guess the best way to set a rate limit would be to use some reverse proxy like Caddy and configure a rate limit there.

jlelse avatar Jan 15 '25 15:01 jlelse

Ok, nice. A "limit" might be useful in some cases as to give the reactions some value, otherwise a single person can give 100 reactions and you wouldn't know if it were genuinely 100 people or 1 person who did it :). Yeah I guess Caddy can rate limit, but this could also happen locally.

AmurgCodru avatar Jan 15 '25 15:01 AmurgCodru
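A sketch of the per-hashed-IP limiter proposed in the opening post and revisited in the last comment, as an added example that is not GoBlog's own code: each (IP, post, reaction) combination is accepted once per window (24 hours in the proposal), and only a salted SHA-256 of the tuple is kept, so no raw address is stored. The salt, the in-memory map and the injectable clock are assumptions for illustration; a deployment with several instances would need shared storage, and the proxy-level rate limit mentioned above still guards against raw request floods.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"sync"
	"time"
)

// ReactionLimiter accepts each (IP, post, reaction) combination once per window.
// Only a salted hash of the tuple is kept, so raw addresses are never stored.
type ReactionLimiter struct {
	mu     sync.Mutex
	window time.Duration
	salt   []byte               // assumed per-deployment secret; rotating it resets the limiter
	seen   map[string]time.Time // hashed key -> when it was last accepted
	now    func() time.Time     // injectable clock (assumption, makes the limiter testable)
}

func NewReactionLimiter(window time.Duration, salt []byte) *ReactionLimiter {
	return &ReactionLimiter{window: window, salt: salt, seen: map[string]time.Time{}, now: time.Now}
}

// key derives the storage key; NUL separators keep "a"+"bc" distinct from "ab"+"c".
func (l *ReactionLimiter) key(ip, post, reaction string) string {
	h := sha256.New()
	h.Write(l.salt)
	for _, part := range []string{ip, post, reaction} {
		h.Write([]byte(part))
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Allow reports whether this reaction should be counted and records it if so.
func (l *ReactionLimiter) Allow(ip, post, reaction string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	// Drop expired entries so a flood of distinct keys cannot grow the map forever.
	for k, t := range l.seen {
		if now.Sub(t) >= l.window {
			delete(l.seen, k)
		}
	}
	k := l.key(ip, post, reaction)
	if _, dup := l.seen[k]; dup {
		return false // same reaction from this address within the window
	}
	l.seen[k] = now
	return true
}
```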